(78 FR 5574). However, even if no matching agreement is required because a company assists the counterparty in its own administrative or administrative functions, HIPAA limits the use or disclosure of PHI by the company: 3rd member of an organized health facility. Covered institutions participating in organized health care (OHCA) are not business partners of each other, while they perform functions on behalf of the OHCA; «As a result, they can use [PHI] for OHCA`s joint health activities and disclose them without entering into a matching agreement.» (OCR FAQ; see 45 CFR 160.103). An OHCA (1) is «a clinically integrated care framework in which people are generally cared for by more than one health care provider» (for example. B a hospital and its medical staff); (2) an organized health care system involving more than one covered company and in which the participating companies involved conduct a joint review of operations, quality improvement or payment activities (e.g. B supplier networks); or (3) certain agreements between group health plans and other insurers. CFR 160.103). The OHCA waiver only applies to covered businesses (for example. B health care providers and health plans) who perform functions for the OHCA; It does not apply to other entities that require PHI to perform functions on behalf of OHCA. With respect to the question of what «routine access» to [PHI] means in determining the types of data transmission services that are counterparties to mere lines, such a provision will be concrete on the basis of the nature of the services provided and the extent to which the company needs access to [PHI] to provide the service to the company concerned. The exclusion from the channel is narrow and is intended to exclude only services that provide only courier services, such as the U.S.
Postal Service or United Parcel Service and their electronic equivalents, such as Internet Service Providers (ISPs), which provide only data services. As noted in the guide, a line carries information, but only randomly or rarely accesses how it is necessary to provide transportation service or as required by other laws. For example, a telecommunications company may have occasional and random access to [PHI] when it verifies that data transmitted over its network arrives at its normal destination. Such random access to [PHI] would not qualify the company as a business partner. On the other hand, an entity with access to [PHI] is required to provide a service to a covered unit, such as .B. a health information organization that manages the exchange of [PHI] through a network of companies covered by the use of data locator services for its subscribers (and other services) is not considered a channel and is therefore not excluded from the definition. «[A] a person or corporation that is not a member of the staff of a covered company, performs functions or activities on behalf of a covered company, or provides certain services that include consideration of protected health information.